XSS Methods Also Seen Being Used in Mass Compromises

We were about to investigate further on malicious activities related to banner82(dot)com/b.js, but the URL was already inaccessible around Tuesday. Soon enough the malicious script in www(dot)adw95(dot)com caught our interest. A rough survey of the sites compromised by this script reveals that the affected sites had cross-site scripting (XSS) vulnerabilities, SQL injection vulnerabilities, or a combination of both.

XSS Holes Endanger Users with Increasing Risks

I want to shed some light again on XSS because, although it has been around for a long time, it has neither become a less attractive attack method, nor has a fool-proof defense against it been properly formulated.

XSS vulnerabilities can cause a variety of problems for the casual web surfer. These problems range in severity from mere annoyance to complete credential compromise. Some XSS attacks incorporate disclosure of the user’s session cookies, allowing the attacker to take complete control over the victim’s session and (in effect) take over the account by hijacking the HTTP session.

XSS attacks may also include redirecting the user to some other page or website, and modifying the content of an HTTP session. Other damaging risks include the exposure of the victim’s files, and subsequently the installation of Trojans and other damaging malware — and to what purpose? One can only guess, because once the compromise is successful, the criminal’s next actions are open to unlimited possibility.

An XSS attacker utilizes varying methods to encode the malicious script in order to be less conspicuous to users and administrators alike. There is no accounting for the number of variations of these attacks, and XSS attacks most commonly come in the form of embedded JavaScript. But be forewarned — any embedded active content is also a potential source of danger, including ActiveX (OLE), VBScript, Flash, and more.

Breaches in the Background

XSS issues can and do exist in the underlying Web and application servers as well. Most Web and application servers use error mechanisms to display content access error pages, such as “404 page not found” and “500 internal server error”. If these pages reflect back any information from the user’s request, such as the URL they were trying to access, the chances that they are vulnerable to an XSS attack are even greater.
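To make the error-page point above concrete, here is an added example (not code from the original post or from any product it mentions) of a 404 handler that reflects the requested path unescaped beside a hardened version that escapes it and sets the session cookie with HttpOnly, which blunts the cookie-disclosure risk described earlier. The function and header names, and the probe string, are all constructed for this illustration.

```python
import html
from typing import Callable

# Constructed example: a server-side "404" renderer that reflects the
# requested path straight into HTML. Any markup in the path is rendered.
def vulnerable_not_found(path: str) -> str:
    return f"<h1>404 Not Found</h1><p>The page {path} could not be found.</p>"

# Hardened version: HTML-escape the reflected value so <, >, &, " and '
# are rendered as text instead of being parsed as markup.
def hardened_not_found(path: str) -> str:
    safe_path = html.escape(path, quote=True)
    return f"<h1>404 Not Found</h1><p>The page {safe_path} could not be found.</p>"

# Cookie attributes that limit what a successful script injection can reach:
# HttpOnly keeps the cookie out of document.cookie, Secure keeps it off
# plaintext HTTP, SameSite reduces cross-site replay. Names are illustrative.
def session_cookie_header(session_id: str) -> str:
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"

# Response headers a defender would want on an error page: an explicit
# charset so the browser does not sniff a different encoding, and nosniff.
def hardened_headers(session_id: str) -> dict:
    return {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Set-Cookie": session_cookie_header(session_id),
    }

# Simple self-check a developer can run against any renderer: feed a harmless
# marker tag and see whether it comes back intact (i.e. unescaped).
def reflects_unescaped(render: Callable[[str], str], probe: str = "<i>probe</i>") -> bool:
    return probe in render(probe)

if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_not_found), ("hardened", hardened_not_found)):
        print(f"{name}: reflects markup unescaped = {reflects_unescaped(fn)}")
    print(hardened_headers("constructed-session-id")["Set-Cookie"])
```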

The possibility that a website contains XSS vulnerabilities is extremely high. There are countless ways to mislead Web applications into relaying maliciously injected scripts. Developers and website administrators seem to have a knack for missing these vulnerable application areas in their web implementations, but finding these configuration errors seems to be a walk in the park for attackers, since all they need is a browser and time (time which most of the defenders don’t have).

There are numerous free attack tools available, and worse, the most efficient ones are created by career criminals who happen to be at the disposal of anyone willing to pay for their warez. These tools readily aid in finding these flaws, and are increasingly often crafted to inject XSS attacks into a target site.

XSS Vulnerability in Adw95(dot)com Attack

Here’s a closer look at the infection chain launched by the injection of malicious JavaScript into victimized websites:

Mass compromises seem to be all the rage these days, and exploiting XSS vulnerabilities is just one of the methods criminals can employ to silently worm their way into users’ PCs. Please see our Virus Encyclopedia for further details about the malware in this particular infection chain. Trend Micro users with updated patches are protected from these threats as of Pattern 5.305.00.

(Note: Malware may vary or change at any given time as we are still closely monitoring this incident).
